Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2022-23375
Publication date:
19/02/2022
WikiDocs version 0.1.18 has an authenticated remote code execution vulnerability. An attacker can upload a malicious file using the image upload form through index.php.
Severity CVSS v4.0: Pending analysis
Last modification:
01/03/2022

CVE-2022-0689
Publication date:
19/02/2022
Use multiple time the one-time coupon in Packagist microweber/microweber prior to 1.2.11.
Severity CVSS v4.0: Pending analysis
Last modification:
26/02/2022

CVE-2022-0632
Publication date:
19/02/2022
NULL Pointer Dereference in Homebrew mruby prior to 3.2.
Severity CVSS v4.0: Pending analysis
Last modification:
28/02/2022

CVE-2022-0630
Publication date:
19/02/2022
Out-of-bounds Read in Homebrew mruby prior to 3.2.
Severity CVSS v4.0: Pending analysis
Last modification:
28/02/2022

CVE-2022-0678
Publication date:
19/02/2022
Cross-site Scripting (XSS) - Reflected in Packagist microweber/microweber prior to 1.2.11.
Severity CVSS v4.0: Pending analysis
Last modification:
26/02/2022

CVE-2022-0409
Publication date:
19/02/2022
Unrestricted Upload of File with Dangerous Type in Packagist showdoc/showdoc prior to 2.10.2.
Severity CVSS v4.0: Pending analysis
Last modification:
01/03/2022

CVE-2016-20013
Publication date:
19/02/2022
sha256crypt and sha512crypt through 0.6 allow attackers to cause a denial of service (CPU consumption) because the algorithm's runtime is proportional to the square of the length of the password.
Severity CVSS v4.0: Pending analysis
Last modification:
03/03/2022

CVE-2022-24980
Publication date:
19/02/2022
An issue was discovered in the Kitodo.Presentation (aka dif) extension before 2.3.2, 3.x before 3.2.3, and 3.3.x before 3.3.4 for TYPO3. A missing access check in an eID script allows an unauthenticated user to submit arbitrary URLs to this component. This results in SSRF, allowing attackers to view the content of any file or webpage the webserver has access to.
Severity CVSS v4.0: Pending analysis
Last modification:
04/03/2022

CVE-2022-24979
Publication date:
19/02/2022
An issue was discovered in the Varnishcache extension before 2.0.1 for TYPO3. The Edge Site Includes (ESI) content element renderer component does not include an access check. This allows an unauthenticated user to render various content elements, resulting in insecure direct object reference (IDOR), with the potential of exposing internal content elements.
Severity CVSS v4.0: Pending analysis
Last modification:
07/03/2022

CVE-2022-25366
Publication date:
19/02/2022
Cryptomator through 1.6.5 allows DYLIB injection because, although it has the flag 0x1000 for Hardened Runtime, it has the com.apple.security.cs.disable-library-validation and com.apple.security.cs.allow-dyld-environment-variables entitlements. An attacker can exploit this by creating a malicious .dylib file that can be executed via the DYLD_INSERT_LIBRARIES environment variable.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2022-25365
Publication date:
19/02/2022
Docker Desktop before 4.5.1 on Windows allows attackers to move arbitrary files. NOTE: this issue exists because of an incomplete fix for CVE-2022-23774.
Severity CVSS v4.0: Pending analysis
Last modification:
03/06/2022

CVE-2022-25256
Publication date:
19/02/2022
SAS Web Report Studio 4.4 allows XSS. /SASWebReportStudio/logonAndRender.do has two parameters: saspfs_request_backlabel_list and saspfs_request_backurl_list. The first one affects the content of the button placed in the top left. The second affects the page to which the user is directed after pressing the button, e.g., a malicious web page. In addition, the second parameter executes JavaScript, which means XSS is possible by adding a javascript: URL.
Severity CVSS v4.0: Pending analysis
Last modification:
04/03/2022
Subscribe to Vulnerabilities